l: remove ejabberd

This commit is contained in:
lassulus 2021-01-23 20:59:54 +01:00
parent 7fc9876739
commit 8adbc446bf
4 changed files with 0 additions and 242 deletions

View File

@ -138,16 +138,6 @@ with import <stockholm/lib>;
enable = true; enable = true;
}; };
} }
{
lass.ejabberd = {
enable = true;
hosts = [ "lassul.us" ];
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
];
}
{ {
imports = [ imports = [
<stockholm/lass/2configs/realwallpaper.nix> <stockholm/lass/2configs/realwallpaper.nix>

View File

@ -3,7 +3,6 @@ _:
imports = [ imports = [
./bindfs.nix ./bindfs.nix
./dnsmasq.nix ./dnsmasq.nix
./ejabberd
./folderPerms.nix ./folderPerms.nix
./hosts.nix ./hosts.nix
./klem.nix ./klem.nix

View File

@ -1,128 +0,0 @@
with import <stockholm/lib>;
{ config, ... }: let
# See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
ciphers = concatStringsSep ":" [
"ECDHE-ECDSA-AES256-GCM-SHA384"
"ECDHE-RSA-AES256-GCM-SHA384"
"ECDHE-ECDSA-CHACHA20-POLY1305"
"ECDHE-RSA-CHACHA20-POLY1305"
"ECDHE-ECDSA-AES128-GCM-SHA256"
"ECDHE-RSA-AES128-GCM-SHA256"
"ECDHE-ECDSA-AES256-SHA384"
"ECDHE-RSA-AES256-SHA384"
"ECDHE-ECDSA-AES128-SHA256"
"ECDHE-RSA-AES128-SHA256"
];
protocol_options = [
"no_sslv2"
"no_sslv3"
"no_tlsv1"
"no_tlsv1_10"
];
in /* yaml */ ''
access_rules:
announce:
- allow: admin
local:
- allow: local
configure:
- allow: admin
register:
- allow
s2s:
- allow
trusted_network:
- allow: loopback
acl:
local:
user_regexp: ""
loopback:
ip:
- "127.0.0.0/8"
- "::1/128"
- "::FFFF:127.0.0.1/128"
hosts: ${toJSON config.hosts}
language: "en"
listen:
-
port: 5222
ip: "::"
module: ejabberd_c2s
shaper: c2s_shaper
certfile: ${toJSON config.certfile.path}
ciphers: ${toJSON ciphers}
dhfile: ${toJSON config.dhfile.path}
protocol_options: ${toJSON protocol_options}
starttls: true
starttls_required: true
tls: false
tls_compression: false
max_stanza_size: 65536
-
port: 5269
ip: "::"
module: ejabberd_s2s_in
shaper: s2s_shaper
max_stanza_size: 131072
loglevel: 4
modules:
mod_adhoc: {}
mod_admin_extra: {}
mod_announce:
access: announce
mod_caps: {}
mod_carboncopy: {}
mod_client_state: {}
mod_configure: {}
mod_disco: {}
mod_echo: {}
mod_bosh: {}
mod_last: {}
mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {}
mod_privacy: {}
mod_private: {}
mod_register:
access_from: allow
access: register
# ip_access: trusted_network
registration_watchers: ${toJSON config.registration_watchers}
mod_roster: {}
mod_shared_roster: {}
mod_stats: {}
mod_time: {}
mod_vcard:
search: false
mod_version: {}
mod_http_api: {}
s2s_access: s2s
s2s_certfile: ${toJSON config.s2s_certfile.path}
s2s_ciphers: ${toJSON ciphers}
s2s_dhfile: ${toJSON config.dhfile.path}
s2s_protocol_options: ${toJSON protocol_options}
s2s_tls_compression: false
s2s_use_starttls: required
shaper_rules:
max_user_offline_messages:
- 5000: admin
- 100
max_user_sessions: 10
c2s_shaper:
- none: admin
- normal
s2s_shaper: fast
''

View File

@ -1,103 +0,0 @@
{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
cfg = config.lass.ejabberd;
gen-dhparam = pkgs.writeDash "gen-dhparam" ''
set -efu
path=$1
bits=2048
# TODO regenerate dhfile after some time?
if ! test -e "$path"; then
${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
fi
'';
in {
options.lass.ejabberd = {
enable = mkEnableOption "lass.ejabberd";
certfile = mkOption {
type = types.secret-file;
default = {
name = "ejabberd-certfile";
path = "${cfg.user.home}/ejabberd.pem";
owner = cfg.user;
source-path = "/var/lib/acme/lassul.us/full.pem";
};
};
dhfile = mkOption {
type = types.secret-file;
default = {
name = "ejabberd-dhfile";
path = "${cfg.user.home}/dhparams.pem";
owner = cfg.user;
source-path = "/dev/null";
};
};
hosts = mkOption {
type = with types; listOf str;
};
pkgs.ejabberdctl = mkOption {
type = types.package;
default = pkgs.writeDashBin "ejabberdctl" ''
exec ${pkgs.ejabberd}/bin/ejabberdctl \
--config ${toFile "ejabberd.yaml" (import ./config.nix {
inherit pkgs;
config = cfg;
})} \
--logs ${shell.escape cfg.user.home} \
--spool ${shell.escape cfg.user.home} \
"$@"
'';
};
registration_watchers = mkOption {
type = types.listOf types.str;
default = [
config.krebs.users.tv.mail
];
};
s2s_certfile = mkOption {
type = types.secret-file;
default = cfg.certfile;
};
user = mkOption {
type = types.user;
default = {
name = "ejabberd";
home = "/var/ejabberd";
};
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.pkgs.ejabberdctl ];
krebs.secret.files = {
ejabberd-certfile = cfg.certfile;
ejabberd-s2s_certfile = cfg.s2s_certfile;
};
systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ];
after = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
"network.target"
];
partOf = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
];
serviceConfig = {
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
PermissionsStartOnly = true;
SyslogIdentifier = "ejabberd";
User = cfg.user.name;
TimeoutStartSec = 60;
};
};
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
};
};
}